4dc0da2b2063d13008a1543d8813edfeaad02b26afaa9d7ddda11ab795cdf6ff

Analysis

max time kernel
120s
max time network
126s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
24-06-2024 07:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4dc0da2b2063d13008a1543d8813edfeaad02b26afaa9d7ddda11ab795cdf6ff_NeikiAnalytics.exe
Size

125KB
MD5

b0426859cd58c37c8b7862cd45092ce0
SHA1

090fb07359ed419798006438e2c067a837ab55af
SHA256

4dc0da2b2063d13008a1543d8813edfeaad02b26afaa9d7ddda11ab795cdf6ff
SHA512

0f35f537976baf2eb9a7662f0a71cf3bff98c9b90850248df716fe0de86b312640891b650e5d21f378851c818666242c4401a7b48c168476b6bd38ddb7786e37
SSDEEP

3072:O4UnietAUpRMtFbmdghHMt9gO8Lce1WdTCn93OGey/ZhJakrPF:LUNAUpAdmaKwcVTCndOGeKTaG

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mhhfdo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nodgel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Olonpp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ogmhkmki.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bmclhi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	4dc0da2b2063d13008a1543d8813edfeaad02b26afaa9d7ddda11ab795cdf6ff_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mhhfdo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qngmgjeb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jgcdki32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lanaiahq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mhjbjopf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nckjkl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pgbafl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lanaiahq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lfmffhde.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ohendqhd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qngmgjeb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kiqpop32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Liplnc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Olonpp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pqhijbog.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ajpjakhc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Blobjaba.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bobhal32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Linphc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojigbhlp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Biojif32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jgcdki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Liplnc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mmldme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ncmfqkdj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqhijbog.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pkdgpo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Biojif32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	4dc0da2b2063d13008a1543d8813edfeaad02b26afaa9d7ddda11ab795cdf6ff_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mhjbjopf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncmfqkdj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Achojp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Achojp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmclhi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kebgia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Linphc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mmldme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Npccpo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ohendqhd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfknbe32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lfmffhde.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Npccpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kiqpop32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mofglh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mofglh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Oebimf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pkdgpo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajpjakhc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beejng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kebgia32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kaldcb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kaldcb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Blobjaba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jfknbe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kjifhc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nckjkl32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qeohnd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bobhal32.exe

Executes dropped EXE 36 IoCs

pid	Process
2688	Jgcdki32.exe
2712	Jfknbe32.exe
2852	Kjifhc32.exe
2768	Kebgia32.exe
2776	Kiqpop32.exe
2624	Kaldcb32.exe
672	Lanaiahq.exe
2820	Lfmffhde.exe
1748	Linphc32.exe
2020	Liplnc32.exe
1808	Mhhfdo32.exe
1112	Mhjbjopf.exe
1228	Mofglh32.exe
1636	Mmldme32.exe
2288	Nckjkl32.exe
2088	Ncmfqkdj.exe
2684	Nodgel32.exe
436	Npccpo32.exe
1100	Oebimf32.exe
1556	Olonpp32.exe
984	Ohendqhd.exe
1928	Ojigbhlp.exe
964	Ogmhkmki.exe
2132	Pqhijbog.exe
2012	Pgbafl32.exe
896	Pkdgpo32.exe
1792	Qeohnd32.exe
1604	Qngmgjeb.exe
2692	Ajpjakhc.exe
2092	Achojp32.exe
3056	Biojif32.exe
2668	Beejng32.exe
2576	Blobjaba.exe
524	Bmclhi32.exe
2760	Bobhal32.exe
2924	Cacacg32.exe

Loads dropped DLL 64 IoCs

pid	Process
1688	4dc0da2b2063d13008a1543d8813edfeaad02b26afaa9d7ddda11ab795cdf6ff_NeikiAnalytics.exe
1688	4dc0da2b2063d13008a1543d8813edfeaad02b26afaa9d7ddda11ab795cdf6ff_NeikiAnalytics.exe
2688	Jgcdki32.exe
2688	Jgcdki32.exe
2712	Jfknbe32.exe
2712	Jfknbe32.exe
2852	Kjifhc32.exe
2852	Kjifhc32.exe
2768	Kebgia32.exe
2768	Kebgia32.exe
2776	Kiqpop32.exe
2776	Kiqpop32.exe
2624	Kaldcb32.exe
2624	Kaldcb32.exe
672	Lanaiahq.exe
672	Lanaiahq.exe
2820	Lfmffhde.exe
2820	Lfmffhde.exe
1748	Linphc32.exe
1748	Linphc32.exe
2020	Liplnc32.exe
2020	Liplnc32.exe
1808	Mhhfdo32.exe
1808	Mhhfdo32.exe
1112	Mhjbjopf.exe
1112	Mhjbjopf.exe
1228	Mofglh32.exe
1228	Mofglh32.exe
1636	Mmldme32.exe
1636	Mmldme32.exe
2288	Nckjkl32.exe
2288	Nckjkl32.exe
2088	Ncmfqkdj.exe
2088	Ncmfqkdj.exe
2684	Nodgel32.exe
2684	Nodgel32.exe
436	Npccpo32.exe
436	Npccpo32.exe
1100	Oebimf32.exe
1100	Oebimf32.exe
1556	Olonpp32.exe
1556	Olonpp32.exe
984	Ohendqhd.exe
984	Ohendqhd.exe
1928	Ojigbhlp.exe
1928	Ojigbhlp.exe
964	Ogmhkmki.exe
964	Ogmhkmki.exe
2132	Pqhijbog.exe
2132	Pqhijbog.exe
2012	Pgbafl32.exe
2012	Pgbafl32.exe
896	Pkdgpo32.exe
896	Pkdgpo32.exe
1792	Qeohnd32.exe
1792	Qeohnd32.exe
1604	Qngmgjeb.exe
1604	Qngmgjeb.exe
2692	Ajpjakhc.exe
2692	Ajpjakhc.exe
2092	Achojp32.exe
2092	Achojp32.exe
3056	Biojif32.exe
3056	Biojif32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Lanaiahq.exe	Kaldcb32.exe
File created	C:\Windows\SysWOW64\Lanaiahq.exe	Kaldcb32.exe
File created	C:\Windows\SysWOW64\Malllmgi.dll	Kaldcb32.exe
File opened for modification	C:\Windows\SysWOW64\Oebimf32.exe	Npccpo32.exe
File created	C:\Windows\SysWOW64\Hkhfgj32.dll	Qngmgjeb.exe
File created	C:\Windows\SysWOW64\Eoqbnm32.dll	Biojif32.exe
File opened for modification	C:\Windows\SysWOW64\Kaldcb32.exe	Kiqpop32.exe
File created	C:\Windows\SysWOW64\Ihlfga32.dll	Ojigbhlp.exe
File created	C:\Windows\SysWOW64\Pgbafl32.exe	Pqhijbog.exe
File created	C:\Windows\SysWOW64\Cmelgapq.dll	Qeohnd32.exe
File opened for modification	C:\Windows\SysWOW64\Biojif32.exe	Achojp32.exe
File opened for modification	C:\Windows\SysWOW64\Kjifhc32.exe	Jfknbe32.exe
File opened for modification	C:\Windows\SysWOW64\Qeohnd32.exe	Pkdgpo32.exe
File opened for modification	C:\Windows\SysWOW64\Olonpp32.exe	Oebimf32.exe
File created	C:\Windows\SysWOW64\Ekebnbmn.dll	Mhjbjopf.exe
File created	C:\Windows\SysWOW64\Biojif32.exe	Achojp32.exe
File created	C:\Windows\SysWOW64\Aaapnkij.dll	Olonpp32.exe
File created	C:\Windows\SysWOW64\Ogmhkmki.exe	Ojigbhlp.exe
File created	C:\Windows\SysWOW64\Olonpp32.exe	Oebimf32.exe
File created	C:\Windows\SysWOW64\Nlpdbghp.dll	Pqhijbog.exe
File created	C:\Windows\SysWOW64\Pkdgpo32.exe	Pgbafl32.exe
File opened for modification	C:\Windows\SysWOW64\Cacacg32.exe	Bobhal32.exe
File created	C:\Windows\SysWOW64\Kjifhc32.exe	Jfknbe32.exe
File opened for modification	C:\Windows\SysWOW64\Nckjkl32.exe	Mmldme32.exe
File opened for modification	C:\Windows\SysWOW64\Lfmffhde.exe	Lanaiahq.exe
File created	C:\Windows\SysWOW64\Ohendqhd.exe	Olonpp32.exe
File created	C:\Windows\SysWOW64\Nckjkl32.exe	Mmldme32.exe
File created	C:\Windows\SysWOW64\Kebgia32.exe	Kjifhc32.exe
File created	C:\Windows\SysWOW64\Aaebnq32.dll	Lfmffhde.exe
File created	C:\Windows\SysWOW64\Okbekdoi.dll	Ajpjakhc.exe
File opened for modification	C:\Windows\SysWOW64\Beejng32.exe	Biojif32.exe
File created	C:\Windows\SysWOW64\Nelkpj32.dll	4dc0da2b2063d13008a1543d8813edfeaad02b26afaa9d7ddda11ab795cdf6ff_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Linphc32.exe	Lfmffhde.exe
File created	C:\Windows\SysWOW64\Bohnbn32.dll	Kiqpop32.exe
File created	C:\Windows\SysWOW64\Ajpjakhc.exe	Qngmgjeb.exe
File created	C:\Windows\SysWOW64\Imklkg32.dll	Bmclhi32.exe
File created	C:\Windows\SysWOW64\Bpmiamoh.dll	Kebgia32.exe
File opened for modification	C:\Windows\SysWOW64\Jfknbe32.exe	Jgcdki32.exe
File created	C:\Windows\SysWOW64\Pqhijbog.exe	Ogmhkmki.exe
File created	C:\Windows\SysWOW64\Jgcdki32.exe	4dc0da2b2063d13008a1543d8813edfeaad02b26afaa9d7ddda11ab795cdf6ff_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Mofglh32.exe	Mhjbjopf.exe
File created	C:\Windows\SysWOW64\Nodgel32.exe	Ncmfqkdj.exe
File created	C:\Windows\SysWOW64\Qeohnd32.exe	Pkdgpo32.exe
File created	C:\Windows\SysWOW64\Achojp32.exe	Ajpjakhc.exe
File opened for modification	C:\Windows\SysWOW64\Achojp32.exe	Ajpjakhc.exe
File created	C:\Windows\SysWOW64\Mhjbjopf.exe	Mhhfdo32.exe
File created	C:\Windows\SysWOW64\Chdqghfp.dll	Ohendqhd.exe
File opened for modification	C:\Windows\SysWOW64\Ajpjakhc.exe	Qngmgjeb.exe
File opened for modification	C:\Windows\SysWOW64\Bobhal32.exe	Bmclhi32.exe
File created	C:\Windows\SysWOW64\Kmikde32.dll	Kjifhc32.exe
File created	C:\Windows\SysWOW64\Cnjgia32.dll	Ncmfqkdj.exe
File opened for modification	C:\Windows\SysWOW64\Qngmgjeb.exe	Qeohnd32.exe
File created	C:\Windows\SysWOW64\Ggfblnnh.dll	Liplnc32.exe
File created	C:\Windows\SysWOW64\Kiqpop32.exe	Kebgia32.exe
File created	C:\Windows\SysWOW64\Liplnc32.exe	Linphc32.exe
File created	C:\Windows\SysWOW64\Npccpo32.exe	Nodgel32.exe
File opened for modification	C:\Windows\SysWOW64\Kebgia32.exe	Kjifhc32.exe
File opened for modification	C:\Windows\SysWOW64\Ncmfqkdj.exe	Nckjkl32.exe
File created	C:\Windows\SysWOW64\Bobhal32.exe	Bmclhi32.exe
File created	C:\Windows\SysWOW64\Jfknbe32.exe	Jgcdki32.exe
File created	C:\Windows\SysWOW64\Mmdgdp32.dll	Achojp32.exe
File created	C:\Windows\SysWOW64\Blobjaba.exe	Beejng32.exe
File created	C:\Windows\SysWOW64\Opacnnhp.dll	Blobjaba.exe
File created	C:\Windows\SysWOW64\Kgdjgo32.dll	Nckjkl32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2044	2924	WerFault.exe	63

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lanaiahq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pqhijbog.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ajpjakhc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Beejng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opacnnhp.dll"	Blobjaba.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Linphc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mhhfdo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mhhfdo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eioojl32.dll"	Pkdgpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qngmgjeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmdgdp32.dll"	Achojp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bohnbn32.dll"	Kiqpop32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bmclhi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgpmbcmh.dll"	Linphc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pqhijbog.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qngmgjeb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Beejng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hebpjd32.dll"	Jgcdki32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kebgia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Liplnc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Biojif32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kjifhc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imbiaa32.dll"	Mhhfdo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgmgbeon.dll"	Mofglh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ojigbhlp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bmclhi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pkdgpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qeohnd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mmldme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmelgapq.dll"	Qeohnd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bobhal32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lfmffhde.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnjgia32.dll"	Ncmfqkdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Blobjaba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nelkpj32.dll"	4dc0da2b2063d13008a1543d8813edfeaad02b26afaa9d7ddda11ab795cdf6ff_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mofglh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nodgel32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pgbafl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Liplnc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ggfblnnh.dll"	Liplnc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mhjbjopf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jgcdki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Malllmgi.dll"	Kaldcb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlpdbghp.dll"	Pqhijbog.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpcqjacl.dll"	Jfknbe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgdjgo32.dll"	Nckjkl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chdqghfp.dll"	Ohendqhd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpodeegi.dll"	Ogmhkmki.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qeohnd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihmnkh32.dll"	Beejng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdlpjk32.dll"	Bobhal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldeamlkj.dll"	Pgbafl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	4dc0da2b2063d13008a1543d8813edfeaad02b26afaa9d7ddda11ab795cdf6ff_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmikde32.dll"	Kjifhc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mmldme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oackeakj.dll"	Nodgel32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nckjkl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kiqpop32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mhjbjopf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aaapnkij.dll"	Olonpp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ohendqhd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpmiamoh.dll"	Kebgia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kebgia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pkdgpo32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1688 wrote to memory of 2688	1688	4dc0da2b2063d13008a1543d8813edfeaad02b26afaa9d7ddda11ab795cdf6ff_NeikiAnalytics.exe	28
PID 1688 wrote to memory of 2688	1688	4dc0da2b2063d13008a1543d8813edfeaad02b26afaa9d7ddda11ab795cdf6ff_NeikiAnalytics.exe	28
PID 1688 wrote to memory of 2688	1688	4dc0da2b2063d13008a1543d8813edfeaad02b26afaa9d7ddda11ab795cdf6ff_NeikiAnalytics.exe	28
PID 1688 wrote to memory of 2688	1688	4dc0da2b2063d13008a1543d8813edfeaad02b26afaa9d7ddda11ab795cdf6ff_NeikiAnalytics.exe	28
PID 2688 wrote to memory of 2712	2688	Jgcdki32.exe	29
PID 2688 wrote to memory of 2712	2688	Jgcdki32.exe	29
PID 2688 wrote to memory of 2712	2688	Jgcdki32.exe	29
PID 2688 wrote to memory of 2712	2688	Jgcdki32.exe	29
PID 2712 wrote to memory of 2852	2712	Jfknbe32.exe	30
PID 2712 wrote to memory of 2852	2712	Jfknbe32.exe	30
PID 2712 wrote to memory of 2852	2712	Jfknbe32.exe	30
PID 2712 wrote to memory of 2852	2712	Jfknbe32.exe	30
PID 2852 wrote to memory of 2768	2852	Kjifhc32.exe	31
PID 2852 wrote to memory of 2768	2852	Kjifhc32.exe	31
PID 2852 wrote to memory of 2768	2852	Kjifhc32.exe	31
PID 2852 wrote to memory of 2768	2852	Kjifhc32.exe	31
PID 2768 wrote to memory of 2776	2768	Kebgia32.exe	32
PID 2768 wrote to memory of 2776	2768	Kebgia32.exe	32
PID 2768 wrote to memory of 2776	2768	Kebgia32.exe	32
PID 2768 wrote to memory of 2776	2768	Kebgia32.exe	32
PID 2776 wrote to memory of 2624	2776	Kiqpop32.exe	33
PID 2776 wrote to memory of 2624	2776	Kiqpop32.exe	33
PID 2776 wrote to memory of 2624	2776	Kiqpop32.exe	33
PID 2776 wrote to memory of 2624	2776	Kiqpop32.exe	33
PID 2624 wrote to memory of 672	2624	Kaldcb32.exe	34
PID 2624 wrote to memory of 672	2624	Kaldcb32.exe	34
PID 2624 wrote to memory of 672	2624	Kaldcb32.exe	34
PID 2624 wrote to memory of 672	2624	Kaldcb32.exe	34
PID 672 wrote to memory of 2820	672	Lanaiahq.exe	35
PID 672 wrote to memory of 2820	672	Lanaiahq.exe	35
PID 672 wrote to memory of 2820	672	Lanaiahq.exe	35
PID 672 wrote to memory of 2820	672	Lanaiahq.exe	35
PID 2820 wrote to memory of 1748	2820	Lfmffhde.exe	36
PID 2820 wrote to memory of 1748	2820	Lfmffhde.exe	36
PID 2820 wrote to memory of 1748	2820	Lfmffhde.exe	36
PID 2820 wrote to memory of 1748	2820	Lfmffhde.exe	36
PID 1748 wrote to memory of 2020	1748	Linphc32.exe	37
PID 1748 wrote to memory of 2020	1748	Linphc32.exe	37
PID 1748 wrote to memory of 2020	1748	Linphc32.exe	37
PID 1748 wrote to memory of 2020	1748	Linphc32.exe	37
PID 2020 wrote to memory of 1808	2020	Liplnc32.exe	38
PID 2020 wrote to memory of 1808	2020	Liplnc32.exe	38
PID 2020 wrote to memory of 1808	2020	Liplnc32.exe	38
PID 2020 wrote to memory of 1808	2020	Liplnc32.exe	38
PID 1808 wrote to memory of 1112	1808	Mhhfdo32.exe	39
PID 1808 wrote to memory of 1112	1808	Mhhfdo32.exe	39
PID 1808 wrote to memory of 1112	1808	Mhhfdo32.exe	39
PID 1808 wrote to memory of 1112	1808	Mhhfdo32.exe	39
PID 1112 wrote to memory of 1228	1112	Mhjbjopf.exe	40
PID 1112 wrote to memory of 1228	1112	Mhjbjopf.exe	40
PID 1112 wrote to memory of 1228	1112	Mhjbjopf.exe	40
PID 1112 wrote to memory of 1228	1112	Mhjbjopf.exe	40
PID 1228 wrote to memory of 1636	1228	Mofglh32.exe	41
PID 1228 wrote to memory of 1636	1228	Mofglh32.exe	41
PID 1228 wrote to memory of 1636	1228	Mofglh32.exe	41
PID 1228 wrote to memory of 1636	1228	Mofglh32.exe	41
PID 1636 wrote to memory of 2288	1636	Mmldme32.exe	42
PID 1636 wrote to memory of 2288	1636	Mmldme32.exe	42
PID 1636 wrote to memory of 2288	1636	Mmldme32.exe	42
PID 1636 wrote to memory of 2288	1636	Mmldme32.exe	42
PID 2288 wrote to memory of 2088	2288	Nckjkl32.exe	43
PID 2288 wrote to memory of 2088	2288	Nckjkl32.exe	43
PID 2288 wrote to memory of 2088	2288	Nckjkl32.exe	43
PID 2288 wrote to memory of 2088	2288	Nckjkl32.exe	43

C:\Users\Admin\AppData\Local\Temp\4dc0da2b2063d13008a1543d8813edfeaad02b26afaa9d7ddda11ab795cdf6ff_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\4dc0da2b2063d13008a1543d8813edfeaad02b26afaa9d7ddda11ab795cdf6ff_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1688
- C:\Windows\SysWOW64\Jgcdki32.exe
  C:\Windows\system32\Jgcdki32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2688
- - C:\Windows\SysWOW64\Jfknbe32.exe
    C:\Windows\system32\Jfknbe32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2712
  - - C:\Windows\SysWOW64\Kjifhc32.exe
      C:\Windows\system32\Kjifhc32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2852
    - - C:\Windows\SysWOW64\Kebgia32.exe
        
        C:\Windows\system32\Kebgia32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2768
      - C:\Windows\SysWOW64\Kiqpop32.exe
        
        C:\Windows\system32\Kiqpop32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2776
        
        C:\Windows\SysWOW64\Kaldcb32.exe
        
        C:\Windows\system32\Kaldcb32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2624
        
        C:\Windows\SysWOW64\Lanaiahq.exe
        
        C:\Windows\system32\Lanaiahq.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:672
        
        C:\Windows\SysWOW64\Lfmffhde.exe
        
        C:\Windows\system32\Lfmffhde.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2820
        
        C:\Windows\SysWOW64\Linphc32.exe
        
        C:\Windows\system32\Linphc32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1748
        
        C:\Windows\SysWOW64\Liplnc32.exe
        
        C:\Windows\system32\Liplnc32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2020
        
        C:\Windows\SysWOW64\Mhhfdo32.exe
        
        C:\Windows\system32\Mhhfdo32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1808
        
        C:\Windows\SysWOW64\Mhjbjopf.exe
        
        C:\Windows\system32\Mhjbjopf.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1112
        
        C:\Windows\SysWOW64\Mofglh32.exe
        
        C:\Windows\system32\Mofglh32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1228
        
        C:\Windows\SysWOW64\Mmldme32.exe
        
        C:\Windows\system32\Mmldme32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1636
        
        C:\Windows\SysWOW64\Nckjkl32.exe
        
        C:\Windows\system32\Nckjkl32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2288
        
        C:\Windows\SysWOW64\Ncmfqkdj.exe
        
        C:\Windows\system32\Ncmfqkdj.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2088
        
        C:\Windows\SysWOW64\Nodgel32.exe
        
        C:\Windows\system32\Nodgel32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2684
        
        C:\Windows\SysWOW64\Npccpo32.exe
        
        C:\Windows\system32\Npccpo32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:436
        
        C:\Windows\SysWOW64\Oebimf32.exe
        
        C:\Windows\system32\Oebimf32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:1100
        
        C:\Windows\SysWOW64\Olonpp32.exe
        
        C:\Windows\system32\Olonpp32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1556
        
        C:\Windows\SysWOW64\Ohendqhd.exe
        
        C:\Windows\system32\Ohendqhd.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:984
        
        C:\Windows\SysWOW64\Ojigbhlp.exe
        
        C:\Windows\system32\Ojigbhlp.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1928
        
        C:\Windows\SysWOW64\Ogmhkmki.exe
        
        C:\Windows\system32\Ogmhkmki.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:964
        
        C:\Windows\SysWOW64\Pqhijbog.exe
        
        C:\Windows\system32\Pqhijbog.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2132
        
        C:\Windows\SysWOW64\Pgbafl32.exe
        
        C:\Windows\system32\Pgbafl32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2012
        
        C:\Windows\SysWOW64\Pkdgpo32.exe
        
        C:\Windows\system32\Pkdgpo32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:896
        
        C:\Windows\SysWOW64\Qeohnd32.exe
        
        C:\Windows\system32\Qeohnd32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1792
        
        C:\Windows\SysWOW64\Qngmgjeb.exe
        
        C:\Windows\system32\Qngmgjeb.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1604
        
        C:\Windows\SysWOW64\Ajpjakhc.exe
        
        C:\Windows\system32\Ajpjakhc.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2692
        
        C:\Windows\SysWOW64\Achojp32.exe
        
        C:\Windows\system32\Achojp32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2092
        
        C:\Windows\SysWOW64\Biojif32.exe
        
        C:\Windows\system32\Biojif32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:3056
        
        C:\Windows\SysWOW64\Beejng32.exe
        
        C:\Windows\system32\Beejng32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2668
        
        C:\Windows\SysWOW64\Blobjaba.exe
        
        C:\Windows\system32\Blobjaba.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2576
        
        C:\Windows\SysWOW64\Bmclhi32.exe
        
        C:\Windows\system32\Bmclhi32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:524
        
        C:\Windows\SysWOW64\Bobhal32.exe
        
        C:\Windows\system32\Bobhal32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2760
        
        C:\Windows\SysWOW64\Cacacg32.exe
        
        C:\Windows\system32\Cacacg32.exe
        37⤵
        Executes dropped EXE
        
        PID:2924
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2924 -s 140
        38⤵
        Program crash
        
        PID:2044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Achojp32.exe

Filesize
125KB

MD5
80e8fae9ed714197e3a1b84603a0a2f4

SHA1
abdf218ca646bff63e38cdf08e3eadeb2f9a6742

SHA256
a873e9b6a8d096ccd32c4664b1f9b10183ed6390168061afaff7eda6a5158806

SHA512
817b43774c330f941ed25f26dbcc19f48d15b285c53d2d7150f86eb40713ecfd820a7c05e8fafa2b24656f67d1aa15d88feee391e60faf370a986f22fa325c86

Download Submit
C:\Windows\SysWOW64\Ajpjakhc.exe

Filesize
125KB

MD5
47d4ed8f0a62310cd0b5512fad77f207

SHA1
480422d5cc091e3dcfadeb93bc7097d3a9dabee9

SHA256
cc7e01e3dd9d820cdee5a964f2068d0bc87d93514f1a43049805fdf8cdf64876

SHA512
be8c1cc17dca88345bfee08cea23b2aef2fc1bac4903f75a7888ecaf78fec73e2a7fd72baef81da78981d72ea2814c65255dab12f9199c8bf985eb216b231ee0

Download Submit
C:\Windows\SysWOW64\Beejng32.exe

Filesize
125KB

MD5
bc7fd7f793c79350c2a9b80fd5ad5be0

SHA1
580c5045ca28dc7f61879ad15e0a38044abe3f83

SHA256
d5d378095772382dc4bd9bc9c05bd127db64bfb01ec8d404743937ce4aa1137e

SHA512
50f4ade900b43e5baccf49bc36e28e17748c8f3e98dff5e2c535f3a78ca6182ea96fb7d102ded7f840616b7055b8fd46167643b00ccac44cbec0443ebd0610c6

Download Submit
C:\Windows\SysWOW64\Biojif32.exe

Filesize
125KB

MD5
f6fe64f6c8005ef90f6afce51440415e

SHA1
9a402acda74430a96b296254f1a5de3e2f6fb2b0

SHA256
9dd89c0e9ae561dfb1748b3bd5db0dee83c830d5ba63a9dcdf60c6d989282df7

SHA512
e10b8fbfb13098a1a2e8f6c46ce677db189f7f72463f0717391de2f2766d045fcb764d740dea65a5c1a469097c74cf073580cb712d6ca8a17998ef9f6406ec64

Download Submit
C:\Windows\SysWOW64\Blobjaba.exe

Filesize
125KB

MD5
2feaf4c92db9aa509ff8e728c17ece79

SHA1
8b5228dda04d7a9ebd41f0e3abe62a4fa0afed4d

SHA256
09ae3cc23170ab4ad73a0191cc3fec3166c36a0755980d059d44c2f85d1a4d9c

SHA512
d3453ff73466286e63197153517f2a3e4cadf30da2ba534c983139e0794fd31f9fa23b62580ca2b6f9fbf9c4041865fb362b11d58fcad9034f96e0a40b7c2d6e

Download Submit
C:\Windows\SysWOW64\Bmclhi32.exe

Filesize
125KB

MD5
d4334cff3d4bbac80c4a809f197ff5fe

SHA1
897cd141e7d4c631d496c4d941ce9fa549ff5ce2

SHA256
5441dc1323dcbadc8044cf5db4e53ff04589d508af8c20707372b71967578d04

SHA512
b15028ddb9dc8a22e6555d40fe2636ea48681ebab6641877a924441aee838777cfd60c8a9f869db8dea9426d084606f776bba62e5277d0111ac8e9d0ad483982

Download Submit
C:\Windows\SysWOW64\Bobhal32.exe

Filesize
125KB

MD5
930ae8fc24d08d56e8d9d9f9b99ae91a

SHA1
64056c6d9c3adbd0b2d1fdd5a373733a66808f81

SHA256
74f22288ef95b1ad27da82387c07e908b07d3cff2409b75320b35a023feb06e8

SHA512
3acc4ea169ef504eb416eacf6a9618a29333a7c7e447b60f4674149ebc5d88ac8d892c7679f0ff8f6b0ff1e6c79bc001f5b51c435efb754e1a7fc6b7f6e4b3aa

Download Submit
C:\Windows\SysWOW64\Bpmiamoh.dll

Filesize
7KB

MD5
aa0eff36c2b99979b5309785eec24eec

SHA1
94b92d8e02b2a979a860b29e89e409b484f8a566

SHA256
04441a6d037240efe36ffea255e92d105fe359079807745c5eb93f7bf92c761c

SHA512
150bc46b7af66b078a206151b7fdda721a67322d954d3035b66a305ecee656cb9da3446927e18390c419670c9c2a0d4e1a273cfd6c53cda9304466d1388efea4

Download Submit
C:\Windows\SysWOW64\Cacacg32.exe

Filesize
125KB

MD5
de4746905059fdb8cc412cdaed20cab6

SHA1
d6e60ff651519e90cbd26121bc8d644efae3c621

SHA256
490ad59615563ade6a7857631e943435413a67c8dbd2248a8eb90198548a6e93

SHA512
580c390c51d7c586579b1359954e975c9aeb181c0487ed7e65c056f7161f5be10aad7b7077547be1297bf7d4ee98d1b574920abd53fa29a3b8db7bfc002b4289

Download Submit
C:\Windows\SysWOW64\Kebgia32.exe

Filesize
125KB

MD5
74c24f784429640a9c7268ba40ca3483

SHA1
d330d48c63cc915854dd65a8b1c8a47c1fcc407c

SHA256
054a6b11fed18a533c4aaced7627587b45d6c9e6c3851408ab3bd5e171f26a3a

SHA512
d1d70c0ec72ec11f385302fdbf3b4f7cefe0b2c09d39cd8f0bff530e94aa9c15734e47793c48e05eb3d43ce7ddeb6601bdee03bf3b219a39fb2798833576a568

Download Submit
C:\Windows\SysWOW64\Mmldme32.exe

Filesize
125KB

MD5
b8439b37ce18d28d457a05e14fd7d8e1

SHA1
98b3127df37873cab02604fb96b93b454d1cd605

SHA256
c7629a58079dbd42077ab517f630ed3770cbcd0efb6a6de4209851e482611504

SHA512
c9f3566b61ddff9b264428579141ae96180a6fef1319477e97f52191b8ffc6ce4f3d32fb9726e996a541ae5dd7eb8eab4a4abf71eb74283a62d7b568c8c371cf

Download Submit
C:\Windows\SysWOW64\Nodgel32.exe

Filesize
125KB

MD5
2a7ff94927bc5b2ab125097b8b195622

SHA1
eec72c774c51052a4d8f47c5fb7962d20cacb1ef

SHA256
a1de6d857d3e01146fd1713f6a0f8fafd2b00d27b8350ed213a0106734af7c10

SHA512
e3a5c8b519dc6eb9a85bbaa6637760f7f2085d31d985ba5103ce90454b1b7e654bb0d1a32106db0884fc254840f133f1e8f024dfb6db73beab8e9a38852d576f

Download Submit
C:\Windows\SysWOW64\Npccpo32.exe

Filesize
125KB

MD5
f944859181b5bbdc3f433aab5be91b74

SHA1
fb7e0cf42543a53e363c13ddd18f91f97442a843

SHA256
e8439dd13a50f70badf786f88ab7403d12b3de2825cde73105ce979516df7401

SHA512
185a266900b67b3d5b037aeb431117e998deeea99f8085a1ae564458e9e2e114a2d410d22f5e3aa3113e52a65c69099c27ac59dde3d513fa432bdacd1d8a1b74

Download Submit
C:\Windows\SysWOW64\Oebimf32.exe

Filesize
125KB

MD5
f96a4ff7a5b309092ba6ba6f10d987c1

SHA1
c782169c11f6255a6f363ce2cbd6eda5737452b8

SHA256
34011202d3c711294b2a29ba2d8ddb7ca7fc5fd7c54158b8a9c5a4a06a02a031

SHA512
c74f2fca479ca8f71dc85ac26d422f3d5510354a1de69ca850522161a981e33f622d06a2c68af9199e7aeeac430162fccaf35c84c544754ca8f618eb13fda53c

Download Submit
C:\Windows\SysWOW64\Ogmhkmki.exe

Filesize
125KB

MD5
85c5a491605330ea510bc4bf1c86a26d

SHA1
27f6caccabbc24b98e885c01444c9a63e4fc0603

SHA256
8fe316d682b3b67e9611c5cca4c5e13298cc7539873452f06861cead27b7df8b

SHA512
83e9d6f277ae1a6f1d957036db4085e2adacdaf94cdba3a5aeda8b86d80813efc1b9149a35606713c95a295e8aa876b4c1fb3a6a18a695467fd743ecc05d9bfc

Download Submit
C:\Windows\SysWOW64\Ohendqhd.exe

Filesize
125KB

MD5
ae704981c943a9cbbe5292964c5eca08

SHA1
0c527464a4e2fc0bac966c914c2315634417c4b1

SHA256
57563cfc97199e74414ee568f16d2ce301a51fd6a9f15d8dc5ce20eaf453f018

SHA512
68c009a5052aaefa196865df5abe34473e36e79cd9d360df396c303bbf9292a8262e79a9ee7e7a8ce0e0dea6b144f1b541a1a63449095755622e04deb04c3877

Download Submit
C:\Windows\SysWOW64\Ojigbhlp.exe

Filesize
125KB

MD5
14fe1ca2f2677805a8757fb52e080b52

SHA1
ecef886601789e5fc05244ba427333a842e06a2c

SHA256
a5620da18bd965585fdf44d1b4f0bbbd0692aebf169cd6cf2d5e2dcd7dd9ef17

SHA512
7d4a7abd96d28427b3f9c05613ad1505b52271c9af1d18548f7a2a65716590006bcf9835387f3a1357bd9bd8d885e7981eb0b598b7f037da12202510984aa4bb

Download Submit
C:\Windows\SysWOW64\Olonpp32.exe

Filesize
125KB

MD5
701ebcb5f526f3a351d69e1597865163

SHA1
125b41767898af81eccd1f4d4f1bb5863cfe6342

SHA256
4ba5be6eb8b7f0675ebab5454e44709799ac83ae4dd11a595f623bedf6533008

SHA512
9afc50a7c071322a48c634c27e439a4bf160fd6fc2bf86556fb45ad5cfd72cb694eabb26616f6f52818942bdb90b131ff5fce6dc92a5f0cf0c360b7af640a3a7

Download Submit
C:\Windows\SysWOW64\Pgbafl32.exe

Filesize
125KB

MD5
f402c136160a1fe3797036ef7944b062

SHA1
1d235379eb179b2774dd5b7c18d90c9e5bb06f0b

SHA256
6520956204129a9bfdc8c34ed0b2406e8a09cb2478a55ffa9f315b31f1db3aed

SHA512
641017eb90737e873bda42992dbd2298af5e56f53c4b536e8b779f8bc719781c05b83a2cae59b517284c3eb00d46bcb677e7b012ab941dc52dcfd6a4c817f112

Download Submit
C:\Windows\SysWOW64\Pkdgpo32.exe

Filesize
125KB

MD5
733cf9aa17b6bc9af9a84f1a42a1cf18

SHA1
6eed1cedb0a95a1259a366b46495b5210d4ea365

SHA256
97378f8210a43d58d9df2c131cfc7c02d9a739ec0074390b7846ca09e52b1de2

SHA512
2f0b632922a395b5fbdbf69f4443c8ef6910172ea55fe46b487077b7aed9ea73c35384220f43799df1a01c3a47b4d230656ae15ba0ae57f13f5329b4291b92c1

Download Submit
C:\Windows\SysWOW64\Pqhijbog.exe

Filesize
125KB

MD5
0f5d7115dd024f8186f99b76fc02e33a

SHA1
684d509c7ea73fb535447f13bb3cc5183054e888

SHA256
934e8fd0ef0532ebd6764cab5789e7af5b418f573274a204ea8c78fe81419f61

SHA512
0a482fbc33c5c93cc877df0bd39f5f642ee9cdb76d9a328fb388cee63ef4f9c33163232913de7f7b6c45170b4452429e9566f215e5fdae4388af91fbb29a308a

Download Submit
C:\Windows\SysWOW64\Qeohnd32.exe

Filesize
125KB

MD5
7cdda8831b512e665d346b44d01ed7fb

SHA1
929cd576ededeb54453fa23fcc35538fb8434ed2

SHA256
ce3e86e2bd8cf7b37482b523a4cad5e9d241147c939ba9c584bdd93c1af29545

SHA512
9abd600734a90e426be497619cfd8b9713f660aee5629e4f7bc1ca9d022a90eff4c0969dcf69a22e4eb63dae3cc3af289f9386313e9ebbd5c2e54a7081a93dfd

Download Submit
C:\Windows\SysWOW64\Qngmgjeb.exe

Filesize
125KB

MD5
db6863790e17a90bc577ea5c246e0325

SHA1
ada55e436adb6b04824fad31e167005bf2fde643

SHA256
88de5f063e77991fdcd4bf8114126f0e96f2840ce682d75ef21949333fa20b0e

SHA512
391484834e9d350c7de5ace8e764df486032f130feab4e319702f93e263f701a3fa5b6012d292dcda98ef88fb816b73e8cbd5256942ad6fcd619ef200634f2b2

Download Submit
\Windows\SysWOW64\Jfknbe32.exe

Filesize
125KB

MD5
6bc9a46e775054441d018d09f3c70a49

SHA1
52151fbf5226e21058cdd2110fd46980f6239553

SHA256
3eda18c5bce06909c0590c707edd59dd057e17793c8d14793ad3b30e333b4168

SHA512
be19d89a58abc140a54f2eff43e3c62fb82879664bbe9dc5cefb5eaea0b9fbe32ed3e4180e8303ed63b27c5cc53c79dcae21286657f4b6d7c9b1352843251ce1

Download Submit
\Windows\SysWOW64\Jgcdki32.exe

Filesize
125KB

MD5
7ac904f3e447024a3b874d6362f857f3

SHA1
5e35a72162a91cf7b23366807f4e46dc572ac4ea

SHA256
3ea0e1c0ece74a756e71db566f4ed3b57be66b85cb586ea337b0f970dad4d302

SHA512
45671206eefbe7a6199a76872c3a76aa443a5f76db4c05958a89a0a967251d5c2f42b514859f91599bf7a077609e107ee7b43e6ff8d141c523cc42655670fd66

Download Submit
\Windows\SysWOW64\Kaldcb32.exe

Filesize
125KB

MD5
b18bd8aca9c0fbeab12917314c9d80b6

SHA1
214ae49c63054bc6ef941d1df3af6405052e2aa7

SHA256
fe7fea7876aecbaf8944bd4e8508f9651a9b981901f4d4c8e78730b4debfb7e6

SHA512
1352b4145de54cc94f59aaead050e55721d6f9c10187f120d3f3ba146c8b5ecefcfe7cc9c5bf2beb2945af33fdff0568a287fecd1824c3c4487bdda130e86fce

Download Submit
\Windows\SysWOW64\Kiqpop32.exe

Filesize
125KB

MD5
c4f1e9ff89046d51686fe1051aadd3e4

SHA1
98727659ba4a58c6c1dbfae4b0019f7eec08c175

SHA256
1db76f8dfdfc6688e0077037948a1dffb176930d537c4315cc117eafd3a787c3

SHA512
becd3cbef0b61a6f8d393dff4152629c4e05ce328a52537e5e597f8cb76684270456de79dcc3f352b2384b33d38f8051ee98527655f83ef8e04633dff3ce3d2a

Download Submit
\Windows\SysWOW64\Kjifhc32.exe

Filesize
125KB

MD5
7ef9efe1b726b45c5cf310b5a1319c36

SHA1
b27dd95fb3ed1a2cb89b8be2d5f62a7076db612b

SHA256
ffde6c38b3bde13bcb9a1951939100bd35c5f92d938bc84f58b1138db810a768

SHA512
fde7bbeb165591b1b157b2685e7574188ca3945b22d2094f2b047518199e37052b4fc0217c62f332dbc9c8a75f6d5b578fd679f22beea6e548447233b78ac871

Download Submit
\Windows\SysWOW64\Lanaiahq.exe

Filesize
125KB

MD5
61281b83b6fe6e12791e4518a293d63e

SHA1
2cc0ff66385c091d2806635c2950095884cebcac

SHA256
9ca0e7d739ce27d478916dbce1bd91c5c9bc8558aa814b28661eca6f7800a8cd

SHA512
875aefae74bc8f876e29734b7a21366ed74dcc84a0329dae92aa51ddfe2de7a2a7e6433bbb1f332694f089c33155b10b4a20646afc001a7e7c8ef884529290e4

Download Submit
\Windows\SysWOW64\Lfmffhde.exe

Filesize
125KB

MD5
993193e1d25958af5a1edcf4b2bf9ae7

SHA1
81c8b8b561980dae83b96f60eaf8f4df70c5da4f

SHA256
9ccf683d60fa37cdaa446f2d2074c64a003e7afb8604552cb7388c7432bea8a3

SHA512
babb31a83e7da2585b1eb7d7371502d64b76a185bf3519a0f85f9755b58ec47a59512cd09845d5e2dd163b3486ec9fc8eed70ade9aea1c07408d5eb2a3c5f4f3

Download Submit
\Windows\SysWOW64\Linphc32.exe

Filesize
125KB

MD5
f786b2974deaad40a413c489f66b26c8

SHA1
86c413ecf31307e55e6589e1f5e7dd83b26d966a

SHA256
61c961a5a57c74e148a887389be734a6a616e63831b6c7e8ad9f1ad2223fe2c5

SHA512
8085fba0e198d329e9ef75412a78acd7d7cde2a41e50296db3dc0915734edbff137679dd3667b113567b0491791146b8c9477452f722a2b9da2375e3472552c1

Download Submit
\Windows\SysWOW64\Liplnc32.exe

Filesize
125KB

MD5
cfefe7b1a8a51c4ffdeae3d77bb4e32a

SHA1
cf49024bd888670a3fa8dfeaba9158fbb5f5ff1c

SHA256
8e83d7a2ea166042205ec1bda7fefb416e3a808e926c7ca650ad6ebdec4f1ce2

SHA512
455d73e27ba6d19e37283036fd1f311bc2c4c0582e7d5889b3dfcb0b21e84ed6c6cb1e6155e304f882603bdac019ce3d948c0f7656ea8da98f9bc59351bd57f2

Download Submit
\Windows\SysWOW64\Mhhfdo32.exe

Filesize
125KB

MD5
0ff9780351e858a4225ba59e6efee477

SHA1
7b88e0f2589cbc92f5dafaceed3e563685bda4e6

SHA256
70ae879bda3e62ef6dbfda69e0a1811aa90996bc32146ee6b72225381a7a2421

SHA512
a2c9b495ecbbaed2ad9adefdfe0102286e4c75a8f00f217477144575b6dbb8b1aa0e6285d7378a2888f4e2e42587790512bbf619ce4267afe9da2016850c0d5b

Download Submit
\Windows\SysWOW64\Mhjbjopf.exe

Filesize
125KB

MD5
9322c67b3390021abb87757ab72721c7

SHA1
d6bed29e600d77632d9737b0fdb9394a9ca098ea

SHA256
0d18531479b4816cacd63c302a3b3f9bb1a0d1fe6dbcce9b66be533442dd214c

SHA512
8e9e49e9eb525c770632aa3996411ce6b0793553c633ba5e8e15bcb8382922ae90b6597573df02a606f931c0a2723ff2e34d35dbfe19ed9ab2186a3e2f97d703

Download Submit
\Windows\SysWOW64\Mofglh32.exe

Filesize
125KB

MD5
592be8f8e048f7b18ef5d906caadb580

SHA1
921c7e976a62755691064b5c70a91969b7e697a7

SHA256
d0784ec6593cee8488084c09fc6ebe4d1822f0f58affad6b5fdbce1b04000a0a

SHA512
ac4749fbb77a8cbfbfa358ee2717abdd02736c6264245c8a02d337e99713a6c82ad34884f1e812df14e15e1edc5f6bceb39f4f14891eacb8dddb884383696b3d

Download Submit
\Windows\SysWOW64\Nckjkl32.exe

Filesize
125KB

MD5
6b5485c683e86c40f24a846230b4c5c7

SHA1
cc7b821a52afa9bb4106f75c50492930c9979ccb

SHA256
df559811a56cf8a4e8c9f6dbc4cfdd352495513ee9823482a61c5680568b562a

SHA512
26e761e0ec817604b27825da1b6081104f9a0a87c175653f59e3047cbc201a5aff0ad37033a44170a2a968a671655cec725d2d4ff447768703db469f5afe98b2

Download Submit
\Windows\SysWOW64\Ncmfqkdj.exe

Filesize
125KB

MD5
0af77809c79e37da315fcb41b418c181

SHA1
6dcb08e84970d72e133b7539edfc06a2696149a4

SHA256
127ee6abd4d7b9f042a47956a727594ddb130ab2fd2aa7ccb2f3ce1b1c87a621

SHA512
0a11482e2e7ed27ac6c613b0af8757aeaa047a204bad167e825728c3cc1c435bf8f5c9dc3e866da46ecc42cbf7cde963ab68bb12e1ef9fa16699da5fde7f1383

Download Submit
memory/436-445-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/436-247-0x00000000002B0000-0x00000000002F7000-memory.dmp

Filesize
284KB

Download
memory/436-239-0x00000000002B0000-0x00000000002F7000-memory.dmp

Filesize
284KB

Download
memory/524-418-0x0000000000220000-0x0000000000267000-memory.dmp

Filesize
284KB

Download
memory/524-407-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/524-417-0x0000000000220000-0x0000000000267000-memory.dmp

Filesize
284KB

Download
memory/672-437-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/896-321-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/896-338-0x00000000002C0000-0x0000000000307000-memory.dmp

Filesize
284KB

Download
memory/896-339-0x00000000002C0000-0x0000000000307000-memory.dmp

Filesize
284KB

Download
memory/964-296-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/964-297-0x0000000000220000-0x0000000000267000-memory.dmp

Filesize
284KB

Download
memory/964-298-0x0000000000220000-0x0000000000267000-memory.dmp

Filesize
284KB

Download
memory/984-276-0x00000000002D0000-0x0000000000317000-memory.dmp

Filesize
284KB

Download
memory/984-270-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/984-275-0x00000000002D0000-0x0000000000317000-memory.dmp

Filesize
284KB

Download
memory/984-447-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1100-253-0x0000000000220000-0x0000000000267000-memory.dmp

Filesize
284KB

Download
memory/1100-254-0x0000000000220000-0x0000000000267000-memory.dmp

Filesize
284KB

Download
memory/1100-249-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1112-159-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1112-167-0x0000000000220000-0x0000000000267000-memory.dmp

Filesize
284KB

Download
memory/1112-442-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1228-443-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1556-265-0x0000000000220000-0x0000000000267000-memory.dmp

Filesize
284KB

Download
memory/1556-261-0x0000000000220000-0x0000000000267000-memory.dmp

Filesize
284KB

Download
memory/1556-446-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1556-258-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1604-356-0x00000000002D0000-0x0000000000317000-memory.dmp

Filesize
284KB

Download
memory/1604-357-0x00000000002D0000-0x0000000000317000-memory.dmp

Filesize
284KB

Download
memory/1604-343-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1636-185-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1636-444-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1636-197-0x00000000002B0000-0x00000000002F7000-memory.dmp

Filesize
284KB

Download
memory/1688-6-0x0000000000450000-0x0000000000497000-memory.dmp

Filesize
284KB

Download
memory/1688-0-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1688-430-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1748-127-0x00000000002A0000-0x00000000002E7000-memory.dmp

Filesize
284KB

Download
memory/1748-439-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1748-126-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1792-341-0x0000000000450000-0x0000000000497000-memory.dmp

Filesize
284KB

Download
memory/1792-340-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1792-342-0x0000000000450000-0x0000000000497000-memory.dmp

Filesize
284KB

Download
memory/1808-147-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1808-441-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1928-295-0x0000000000220000-0x0000000000267000-memory.dmp

Filesize
284KB

Download
memory/1928-283-0x0000000000220000-0x0000000000267000-memory.dmp

Filesize
284KB

Download
memory/1928-277-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2012-319-0x00000000003A0000-0x00000000003E7000-memory.dmp

Filesize
284KB

Download
memory/2012-320-0x00000000003A0000-0x00000000003E7000-memory.dmp

Filesize
284KB

Download
memory/2012-314-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2020-139-0x0000000000290000-0x00000000002D7000-memory.dmp

Filesize
284KB

Download
memory/2020-440-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2088-217-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2088-222-0x00000000002C0000-0x0000000000307000-memory.dmp

Filesize
284KB

Download
memory/2092-381-0x00000000003B0000-0x00000000003F7000-memory.dmp

Filesize
284KB

Download
memory/2092-378-0x00000000003B0000-0x00000000003F7000-memory.dmp

Filesize
284KB

Download
memory/2092-365-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2132-308-0x0000000000220000-0x0000000000267000-memory.dmp

Filesize
284KB

Download
memory/2132-301-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2132-309-0x0000000000220000-0x0000000000267000-memory.dmp

Filesize
284KB

Download
memory/2288-216-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2576-411-0x0000000000220000-0x0000000000267000-memory.dmp

Filesize
284KB

Download
memory/2576-401-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2576-406-0x0000000000220000-0x0000000000267000-memory.dmp

Filesize
284KB

Download
memory/2624-92-0x00000000002A0000-0x00000000002E7000-memory.dmp

Filesize
284KB

Download
memory/2624-436-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2624-79-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2624-91-0x00000000002A0000-0x00000000002E7000-memory.dmp

Filesize
284KB

Download
memory/2668-395-0x0000000000220000-0x0000000000267000-memory.dmp

Filesize
284KB

Download
memory/2668-390-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2668-396-0x0000000000220000-0x0000000000267000-memory.dmp

Filesize
284KB

Download
memory/2684-229-0x0000000000220000-0x0000000000267000-memory.dmp

Filesize
284KB

Download
memory/2684-233-0x0000000000220000-0x0000000000267000-memory.dmp

Filesize
284KB

Download
memory/2684-227-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2688-25-0x00000000002D0000-0x0000000000317000-memory.dmp

Filesize
284KB

Download
memory/2688-431-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2692-359-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2692-364-0x0000000000450000-0x0000000000497000-memory.dmp

Filesize
284KB

Download
memory/2692-363-0x0000000000450000-0x0000000000497000-memory.dmp

Filesize
284KB

Download
memory/2712-33-0x0000000000220000-0x0000000000267000-memory.dmp

Filesize
284KB

Download
memory/2712-432-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2712-26-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2760-428-0x00000000002B0000-0x00000000002F7000-memory.dmp

Filesize
284KB

Download
memory/2760-424-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2768-53-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2768-434-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2776-435-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2776-67-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2820-438-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2820-106-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2852-433-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2852-40-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2924-429-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3056-389-0x00000000002C0000-0x0000000000307000-memory.dmp

Filesize
284KB

Download
memory/3056-379-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads